Contact us

Blog: What is Social Engineering?

12/09/16

Social engineering is an umbrella term for a range of methods for illegally accessing systems, buildings, locations or gaining information through manipulation of people, usually circumventing any and all security controls. These techniques can be used as part of a wider attack against organisations or in isolation to achieve a specific aim. While technical controls can be used to enforce security, almost all can be overridden by an appropriate human element.

Social engineering attacks are designed to trick unsuspecting people into performing actions or broadcasting confidential information. Understanding human psychology is key. Simple techniques such as holding a large box near an entrance to a building may result in a helpful employee holding an access controlled door open. A number of other common techniques are listed below:

• Baiting – Leaving a data storage device, such as a USB drive or CD/DVD in an appropriate place with the intention for it to be found and plugged into the victim’s computer.

• Phishing – Sending forged emails to victims from an apparently trusted source, in order to deploy malware, trick users into divulging passwords or other sensitive information.

• Spear Phishing – A targeted version of phishing where the email is bespoke to a specific individual, usually someone in a privilege position (such as a systems administrator) or position of authority (such as a Finance Director)

• Scareware – Tricking the victim into thinking their computer is infected with malware or has inadvertently downloaded illegal content. The attacker then offers the victim a solution that will fix the bogus problem; in reality, the victim is simply tricked into downloading and installing the attacker’s real malware.

How can companies prevent an attack?

Security awareness training focussed on combatting social engineering attacks should be delivered throughout the entire organisation. This training should be based around the organisation’s security policies, standards and procedures with an appropriate minimum level of measurable awareness for all employees. Metrics can be provided by surveys, tests or assessment of the results of exercises. Enhanced awareness training should be given to those with privileged access or who deal with sensitive information.

Upon induction all employees should complete the training and annually renew this, metrics should be available to ensure that employees have completed the training, how effective it is and that it hasn’t expired.

Some suggested awareness topics:

• Dealing with cold calling and queries carefully
• Plan what to do in the event of an unidentified person in the office
• Define when to raise the alarm and incident management
• Be aware of suspicious emails
• Avoid inappropriate web usage
• Safe use of removable media
• Think about mobile security out of the office
• Your individual responsibility for awareness and security
• Secure your offices, doors and barriers
• Be aware of the use of social media and its role in social engineering

Delivery of training will be dependent on each organisation. Some will require face-to-face training in small groups, others will prefer Computer-Based Training (CBT) or YouTube style videos. Ideally some form of check should be performed to ascertain whether the person fully understands what is needed of them, such as a quiz or score able interactive training delivery. Key to the effectiveness of this delivery will be consistency of message and frequent updates. Social engineering attackers are ingenious and continually develop new techniques – so must we in order to protect ourselves against them.

Are you prepared?

Capita’s Cyber Security consultancy team can assess your security awareness through a series of exercises, which mimic a real-life attack on the organisation without the malicious intent. The majority of businesses now have annual penetration testing against their information systems but many do not address potentially the weakest and most impacting element, the human.

We will work with you to scope out a series of assessments which could include an email phishing exercise, gaining sensitive information through a telephone call, or a physical site visit to test whether someone could infiltrate your building and gain access to systems or information.

Our team use the Open Source Security Testing Methodology Manual (OSSTMM) which is designed to test operational security and provides a legal framework and code of conduct. A number of phases are defined in this: